我放弃:
我有一个 cronjob 脚本,我已经运行了好几年了(在 RHEL 6.7 机器上),用于通过 ssh 远程访问其他 RHEL 机器。在 RHEL5 和 6 上运行完美,但在 RHEL7 上失败。该脚本最简单的形式如下:
ssh -tttvi /home/robot/.ssh/passwdlesskey robot@${ThatIP} sudo -l
在所有远程计算机(RHEL6 和 7)上,相应的 sudoers 文件包含
Defaults requiretty
正如预期的那样,该脚本在 RHEL7 上从命令行执行良好。同样,从 cron 执行时,它在 RHEL 5 和 6 上有效,但在 7 上失败:
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
需要注意的一件事情是,在 RHEL7 服务器上运行命令行和 cron 时,SSH 输出有所不同
C R O N C O M M A N D L I N E
------------------------------------------------------------------------+------------------------------------------------------------------------
debug1: skipped DNS lookup for numerical hostname | debug1: skipped DNS lookup for numerical hostname
WARNING: ECDSA key found for host 10.96.16.108 | debug1: Host '10.96.16.108' is known and matches the ECDSA host key.
in /home/robot/.ssh/known_hosts:416 | debug1: Found key in /home/robot/.ssh/known_hosts:416
ECDSA key fingerprint ee:67:90:d3:c3:b8:db:c7:d3:6a:68:6a:78:fd:25:da. | debug1: SSH2_MSG_NEWKEYS sent
+--[ECDSA 256]---+ | debug1: expecting SSH2_MSG_NEWKEYS
| | | debug1: SSH2_MSG_NEWKEYS received
| | | debug1: Roaming not allowed by server
| | | debug1: SSH2_MSG_SERVICE_REQUEST sent
| | | debug1: SSH2_MSG_SERVICE_ACCEPT received
| S= | | debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
| .= + | | debug1: Next authentication method: publickey
| ..= +... | | debug1: Offering DSA public key: /home/robot/.ssh/passwdlesskey
| ..+.*o=o. | | debug1: Server accepts key: pkalg ssh-dss blen 433
| o+*o+Eo | | debug1: Authentication succeeded (publickey).
+-----------------+ | Authenticated to 10.96.16.108 ([10.96.16.108]:22).
| debug1: channel 0: new [client-session]
debug1: read_passphrase: can't open /dev/tty: No such device or address | debug1: Entering interactive session.
Host key verification failed. | debug1: Sending command: sudo -l
------------------------------------------------------------------------+------------------------------------------------------------------------
我有一个理论:类似于 scp/sftp 不喜欢交互式 shell 输出的方式,我发现 RHEL7 服务器显示的随机艺术干扰了我的脚本。但即使将 ssh -v 替换为 -q 也无济于事。
sshd 的 LogLevel 是 DEBUG2
Mar 9 10:51:01 rhel7test sshd[26198]: debug1: Forked child 26209.
Mar 9 10:51:01 rhel7test sshd[26209]: Set /proc/self/oom_score_adj to 0
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: inetd sockets after dupping: 3, 3
Mar 9 10:51:01 rhel7test sshd[26209]: Connection from 10.96.16.148 port 55171 on 10.96.16.108 port 22
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Client protocol version 2.0; client software version OpenSSH_5.3
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Enabling compatibility mode for protocol 2.0
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: fd 3 setting O_NONBLOCK
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: Network child is on pid 26210
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SELinux support enabled [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: permanently_set_uid: 74/74 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected],zlib [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: none,[email protected],zlib [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: mac_setup: setup hmac-md5 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: mac_setup: setup hmac-md5 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: monitor_read: 0 used once, disabling now
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: bits set: 504/1024 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: bits set: 532/1024 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: monitor_read: 6 used once, disabling now
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: kex_derive_keys [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug2: set_newkeys: mode 1 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: Connection closed by 10.96.16.148 [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: do_cleanup [preauth]
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: monitor_read_log: child log fd closed
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: do_cleanup
Mar 9 10:51:01 rhel7test sshd[26209]: debug1: Killing privsep child 26210
读过类似的帖子,我已经
- 检查了 /dev/tty 上的权限
- 确保无密码密钥正确
- 确保 known_hosts 文件中没有冲突的条目
- 检查环境变量是否有任何异常
- 在执行端(-vvv)将调试提升到 3 级,但从输出中没有可以收集到的新信息。
最后,因为我确定会被问到,RHEL6 & 7 的 sshd_config
R H E L 7 R H E L 6
--------------------------------------------------------------------------------+---------------------------------------------------------------------
HostKey /etc/ssh/ssh_host_rsa_key |
HostKey /etc/ssh/ssh_host_ecdsa_key |
HostKey /etc/ssh/ssh_host_ed25519_key |
SyslogFacility AUTHPRIV | AUTHPRIV
LogLevel DEBUG2 |
PermitRootLogin no | no
StrictModes yes |
MaxAuthTries 3 |
MaxSessions 10 |
PubkeyAuthentication yes |
AuthorizedKeysFile .ssh/authorized_keys |
IgnoreRhosts yes |
PermitEmptyPasswords no |
PasswordAuthentication yes | yes
ChallengeResponseAuthentication no | no
GSSAPIAuthentication yes | yes
GSSAPICleanupCredentials no | yes
UsePAM yes | yes
X11Forwarding yes | yes
PrintMotd no |
PrintLastLog no |
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS | XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server | sftp /usr/libexec/openssh/sftp-server
所以我不知道问题的原因是什么。
答案1
它不是sudo要求 TTY,而是ssh要求客户端,它需要您执行有关 ssh 的唯一安全操作,这是您在建立安全连接之前必须执行的操作。它是主机密钥的验证,如果没有提前配置,则需要用户手动输入。它与系统版本无关,但与配置有关。
您需要将服务器主机密钥(公共部分)存储到客户端的known_hosts。有几种方法可以做到这一点:
robot以运行 cron () 的用户 ( )sudo -i -u robot身份尝试连接到远程服务器:ssh -i /home/robot/.ssh/passwdlesskey robot@${ThatIP}并手动在提示中输入“是”
使用
ssh-keyscan工具,它的作用完全相同,但不必以交互方式运行(确保如果以不同的用户身份运行它,目标用户将具有对该文件的正确访问权限):ssh-keyscan {ThatIP} >> /home/robot/.ssh/known_hosts
答案2
正如用户 VDR 所评论的那样,我需要补充
-o StrictHostKeyChecking=no
作为通过 cron 调用 ssh 时的附加选项。
答案3
同样的场景——我将目标系统从 CentOS 6 更新到 CentOS 7,突然我的 cron 作业会出现Host key validation failed错误,但如果我从命令行运行它,它就会没问题。我完全不知道这个ssh-keyscan工具,所以感谢 @Jakuje 对此的描述。在我的例子中,运行 ssh-keyscan 工具完全没有输出任何内容,所以我添加了-v,然后得到:
>ssh-keyscan -v hostname.example.com
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: hostname.example.com doesn't support ssh1
哎呀。看来源机器上的 SSH 不支持 SSH2。因此我查看了源系统上的 ssh 版本:
>sudo yum list installed | grep ssh
openssh.x86_64 4.3p2-82.el5 installed
openssh-askpass.x86_64 4.3p2-82.el5 installed
openssh-clients.x86_64 4.3p2-82.el5 installed
openssh-server.x86_64 4.3p2-82.el5 installed
不错。只落后几年。这篇文章 http://www.jbytechnologies.com/linux/sshd-add-dsa-key.html帮助我深入了解 CentOS 7 禁用 DSA 密钥。解决方案?在 CentOS 7 上生成并启用 DSA 密钥。但是,DSA 密钥比 RSA 弱,因此这会削弱我的新服务器的安全性。
就我而言,最佳解决方案是:在源机器上升级 openssh。